Scaling Single Sign-On in Cumulocity IoT: Challenges and Solution Approach

Introduction

Effective identity management is paramount in the IoT sphere, where access control can become complex due to the diverse and numerous tenants. As Cumulocity IoT is not capable out-of-the-box to distribute SSO configurations to various tenants, this article describes a solution how to extend the standard functionalities to do so. The following figures explain the advantages from a user’s perspective.

As-Is Solution

Screenshot 2023-12-12 at 10.43.221373×774 51.4 KB

Extended Solution

Screenshot 2023-12-12 at 10.42.031373×774 71.3 KB

Business Challenges

• Fragmented Access Control: With no central access control or transparency, managing permissions across tenants becomes chaotic and insecure.

• Intensive Setup Requirements: Establishing the correct privileges requires a high investment of time and resources for each identity within the tenants.

• Complex Maintenance: The absence of streamlined processes increases the difficulty of maintaining and updating access privileges tenant overarching.

Use Cases for SSO in Cumulocity IoT

• Org Admin & Solution Provider: Central administrators and solution providers require cross-tenant access to efficiently manage and support customer tenants.

• Development/Operations Partner: These partners need dynamic access for the development and operational management of IoT solutions across various tenants.

• Multi-Tenant End Users: End users’ access to services depends on the proper allocation of privileges across the tenants, necessitating a flexible SSO system.

The Microservice Solution

The cumulocity-provision-sso microservice is a Java-based application that addresses these challenges by automating the SSO configuration for subtenants within Cumulocity IoT. It serves as a centralized point for distributing SSO settings, thus enhancing security and user experience.

Overview and Architecture

This microservice enables the propagation of SSO configurations from a Parent Tenant to Child Tenants, ensuring that new tenants automatically receive the necessary SSO setup upon subscription of the microservice. The architecture is designed to manage this distribution efficiently, as represented in the microservice documentation’s mermaid diagram.

Prerequisites and Installation

Before installation, the microservice feature must be subscribed to in the Cumulocity IoT Parent Tenant, and administrative privileges are required. Installation involves uploading the latest binary release to the Tenant through the Administration App. The necessary components and more detailed instructions can be found in the repository, which is accessible at SoftwareAG/cumulocity-provision-sso.

Operation

Once subscribed to a tenant, the microservice ensures the SSO configuration is applied, streamlining the process of SSO management and maintaining consistent access control across all subtenants.

Conclusion

The integration of the cumulocity-provision-sso microservice marks a pivotal advancement in managing Single Sign-On configurations within Cumulocity IoT. It mitigates the previously outlined challenges by providing a centralized, automated solution for SSO provisioning, perfectly aligning with the identified use cases. The microservice is a testament to Cumulocity IoT’s commitment to security, scalability, and user experience.

Related Content

• Administration - Cumulocity IoT Guides
• GitHub - SoftwareAG/cumulocity-provision-sso
• How to simplify login authentication when switching between multiple tenants/subtenants
• Cumulocity IoT SSO Integration with Okta
• Using Auth0 as Single-Sign-On for Cumulocity IoT

Credits to:
@Murat_Bayram @Christof_Strack @yiz @Stefan_Witschel